Hotpatch updates (public preview)

Important

The information in this section applies to Business premium, A3+, E3+ and F3 licenses. For more information, see Features and capabilities and Licenses and entitlements.

Important

This feature is in public preview. It is being actively developed and might not be complete. It's made available on a "Preview" basis. You can test and use this feature in production environments and scenarios and provide feedback.

Hotpatch updates are Monthly B release security updates that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.

Key benefits

  • Hotpatch updates streamline the installation process and enhance compliance efficiency.
  • No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
  • The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.

Eligible devices

To benefit from Hotpatch updates, devices must meet the following prerequisites:

  • Operating System: Devices must be running Windows 11 24H2 or later.
  • VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates.
  • Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see Release notes for Hotpatch.

Ineligible devices

Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. The LCU contains monthly updates that supersede the previous month's updates, and it includes both security and nonsecurity releases.

The LCU requires you to restart the device, but it ensures that the device remains fully secure and compliant.

Note

If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings; it doesn't change the settings.
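
The following PowerShell function is an added example, not Microsoft's code or part of the original page: it checks the three prerequisites under Eligible devices on the local machine and reports whether the device should expect a Hotpatch update or fall back to the LCU. The function name and the `BaselineUbr` parameter are hypothetical; the baseline revision is not given on this page and must be taken from Release notes for Hotpatch. The example assumes that only a running VBS (status 2) meets the VBS prerequisite and that a build revision at or above the baseline's means the baseline is installed.

```powershell
# Added example: local pre-check of the Hotpatch prerequisites listed on this page.
function Test-HotpatchPrerequisite {
    [CmdletBinding()]
    param(
        # Placeholder input: update build revision (UBR) of the latest baseline
        # release, from "Release notes for Hotpatch". Not stated on this page.
        [Parameter(Mandatory)]
        [int]$BaselineUbr
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Prerequisite 1: Windows 11 24H2 or later (client OS, build 26100 or higher).
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -ne 1 -or $build -lt 26100) {
        $reasons.Add("OS is not Windows 11 24H2 or later (build $build)")
    }

    # Prerequisite 2: VBS. Status 0 = not enabled, 1 = enabled but not running,
    # 2 = enabled and running. Assumption: only status 2 passes this check.
    $ns  = 'root\Microsoft\Windows\DeviceGuard'
    $dg  = Get-CimInstance -Namespace $ns -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbs = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { $null }
    if ($null -eq $vbs) {
        $reasons.Add('VBS status could not be read from Win32_DeviceGuard')
    } elseif ($vbs -ne 2) {
        $reasons.Add("VBS status is $vbs (2 = enabled and running)")
    }

    # Prerequisite 3: latest baseline release.
    # Assumption: a UBR at or above the baseline's UBR means the baseline is installed.
    if ($ubr -lt $BaselineUbr) {
        $reasons.Add("Build revision $ubr is below baseline revision $BaselineUbr")
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OsBuild        = "$build.$ubr"
        VbsStatus      = $vbs
        MeetsAll       = ($reasons.Count -eq 0)
        ExpectedUpdate = if ($reasons.Count -eq 0) { 'Hotpatch (no restart)' } else { 'LCU (restart required)' }
        Reasons        = $reasons
    }
}

# Usage (replace the placeholder with the UBR from Release notes for Hotpatch):
# Test-HotpatchPrerequisite -BaselineUbr <baseline UBR>
```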

Release cycles

For more information about the release calendar for Hotpatch updates, see Release notes for Hotpatch.

  • Baseline Release Months: January, April, July, October
  • Hotpatch Release Months: February, March, May, June, August, September, November, December

Enroll devices to receive Hotpatch updates

Note

If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.

To enroll devices to receive Hotpatch updates:

  1. Go to the Intune admin center.
  2. Select Devices from the left navigation menu.
  3. Under the Manage updates section, select Windows updates.
  4. Go to the Quality updates tab.
  5. Select Create, and select Windows quality update policy (preview).
  6. Under the Basics section, enter a name for your new policy and select Next.
  7. Under the Settings section, set "When available, apply without restarting the device ("hotpatch")" to Allow. Then, select Next.
  8. Select the appropriate Scope tags or leave as Default and select Next.
  9. Assign the devices to the policy and select Next.
  10. Review the policy and select Create.

These steps ensure that targeted devices, which are eligible to receive Hotpatch updates, are configured properly. Ineligible devices are offered the latest cumulative updates (LCU).

Note

Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings will still apply.